Disable rate limiter in Laravel?
Stefan Izdrail
Founder & Senior Architect · 2026-06-29
Rate limiting is an essential security measure in web applications to prevent unauthorized access attempts and denial of service (DoS) attacks. However, developers sometimes need to test endpoints that receive a large number of requests or handle sensitive information. In such cases, disabling rate limiting on specific routes can streamline the testing process. This blog post covers how and when to disable rate limiting in Laravel applications.
Understanding Rate Limiting in Laravel
Rate limiting is a built-in feature in Laravel that uses middleware to limit the number of requests per unit time for a specific route. It helps avoid problems such as resource exhaustion or DoS attacks by ensuring that only a limited number of requests are processed in any given period.
Enabling and Configuring Rate Limiter in Laravel
Developers can enable rate limiting by adding the Illuminate\RateLimiting\Limit middleware to their routes. By default, Laravel uses a 10-minute sliding window and a maximum of 60 requests per minute. The rate limit configuration is located in the \config\rate_limiter.php file.
        limit(60)->setExpireIn(10 * 60);
    });
    ?>
The code above sets the maximum number of requests to 60 within a 10-minute sliding window for the specified 'api_requests' key. This ensures that only 60 requests per 10 minutes are allowed.
Disabling Rate Limiting on Specific Routes
Often, developers need to disable rate limiting for a specific endpoint to run tests or handle sensitive information securely. To achieve this, we need to use middleware groups and override the default configuration file. Here's how it can be done:
            ['except' => Route::current()->getRouteAction()['as']],
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Auth\Middleware\Authenticate::class,
            // Add additional middleware if needed
        ]
    ));

    // Define a new route group for the disabled rate limiting condition
    Route::group($apiMiddlewareGroup, function () {
        Route::get('/test', function (Request $request) {
            // Your test endpoint code without rate limiting concerns
        });
    });

    // Override the default rate limiter configuration file with a new one
    // that has disabled rate limiting for 'api_requests' key
    $config = config('rate_limiter');
    $config['limits'] = array_merge($config['limits'], [
        'disable_rate_limiter.api_requests' => [
            'sliding_window' => 10,
            'period' => 60,
            'limit' => -1,
        ],
    ]);
    config([
        'rate_limiter' => $config,
    ]);
    ?>
The above code examples show how to disable rate limiting for a specific route group and then override the default configuration file by setting the specified key to have an unlimited number of requests. This ensures that the endpoint within this route is not affected by rate limiting while other routes remain protected.
Testing Endpoints with Disabled Rate Limiting
Now that rate limiting is disabled for your test endpoint, you can run your tests without encountering any 429 error responses. However, it is essential to use this feature appropriately and not leave these disabled settings live on production servers.
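One way to keep a testing bypass from reaching production is to make the limiter itself environment-aware. The following is an added example, not code from the original post. It assumes Laravel 8 or later with the framework's RateLimiter facade and named limiters; the provider class name is hypothetical, and 'api_requests' is the key used above.

```php
<?php
// Added example, not the post's code. Assumes Laravel 8+.
// Register the provider in the application's provider list.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class RateLimitServiceProvider extends ServiceProvider // hypothetical class name
{
    public function boot(): void
    {
        // Named limiter; 'api_requests' is the key used in this post.
        RateLimiter::for('api_requests', function (Request $request) {
            // Lift the limit only when APP_ENV=testing, so the bypass
            // cannot follow the code onto a production server.
            if ($this->app->environment('testing')) {
                return Limit::none();
            }

            // Everywhere else: 60 requests per 10 minutes, counted per
            // authenticated user, falling back to the client IP.
            return Limit::perMinutes(10, 60)
                ->by(optional($request->user())->id ?: $request->ip());
        });
    }
}

// In the routes file, a route opts in to the limiter by name:
//
//   Route::middleware('throttle:api_requests')->get('/test', function () {
//       return response()->json(['ok' => true]);
//   });
```

Because the exemption depends on the environment rather than on a route or config edit, there is nothing to revert before deployment; a production request to `/test` still receives a 429 once the limit is exceeded.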
Conclusion
Disabling rate limiting for specific routes can be a vital practice when testing or handling sensitive data endpoints. By following the steps outlined in this blog post, you can effectively disable rate limiting in your Laravel application while maintaining the security of other routes. Remember to always test thoroughly and practice good application security measures to keep your users' data safe.